authorjwijenbergh <jeroenwijenbergh@protonmail.com>2022-10-17 10:51:35 +0200
committerjwijenbergh <jeroenwijenbergh@protonmail.com>2022-10-17 10:51:35 +0200
commit4e834896a1c68cd536971dcfff7c3afbcff637ae (patch)
tree5614ed19ec512904d1f09773ed607c8550116961 /internal/server/common.go
parentd615578b89f1f10d0f057315a58a29c30f1f8693 (diff)
OAuth: Implement Authorization Server Issuer Identification (ISS)
- This patch implements ISS checking according to RFC 9207 (https://datatracker.ietf.org/doc/html/rfc9207) - This tries to prevent so-called "mix-up" attacks, where the client is fooled into completing an authorization flow with an honest AS via a malicious entity
Diffstat (limited to 'internal/server/common.go')
-rw-r--r--internal/server/common.go15
1 files changed, 14 insertions, 1 deletions
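--- a/internal/server/common.go
+++ b/internal/server/common.go
@@ -253,8 +253,21 @@ func ShouldRenewButton(server Server) bool {
 	return true
 }
+func GetISS(server Server) (string, error) {
+	base, baseErr := server.GetBase()
+	if baseErr != nil {
+		return "", &types.WrappedErrorMessage{Message: "failed getting server ISS", Err: baseErr}
+	}
+	// The base URL does not end with a /, but the ISS does
+	return base.URL + "/", nil
+}
+
 func GetOAuthURL(server Server, name string) (string, error) {
-	return server.GetOAuth().GetAuthURL(name, server.GetTemplateAuth())
+	iss, issErr := GetISS(server)
+	if issErr != nil {
+		return "", issErr
+	}
+	return server.GetOAuth().GetAuthURL(name, iss, server.GetTemplateAuth())
 }
 func OAuthExchange(server Server) error {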
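Review bot: The issuer identifier is built by blind concatenation on the `return base.URL + "/", nil` line, relying only on the comment's assumption that the base URL carries no trailing slash; if that assumption ever fails the expected value becomes `…//` and the RFC 9207 comparison would reject every honest authorization response, so a tolerant form `return strings.TrimSuffix(base.URL, "/") + "/", nil` (adding the `strings` import) is safer. RFC 9207 section 2.4 requires the `iss` in the response to equal the issuer identifier the AS advertises (presumably its metadata `issuer`) as an exact string, so deriving it from the base URL is only correct if that is guaranteed to be the advertised value — worth recording on the exported function, which currently has no doc comment, e.g. `// GetISS returns the issuer identifier (RFC 9207 "iss") expected in authorization responses from server: its base URL with a trailing slash.` Whether a missing or mismatching `iss` is actually rejected happens inside `GetAuthURL`, which is outside this hunk, as is the body of `OAuthExchange`.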